Google authenticator : Access-Reject

Alan DeKok aland at
Tue Apr 24 16:00:12 CEST 2018

> On Apr 24, 2018, at 9:56 AM, <servernemesis at> <servernemesis at> wrote:
> (0) Received Access-Request Id 65 from to length 92
> (0)   User-Name = "user at"

  That's the full user name, *with* domain.

> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "" for User-Name = "user at"
> (0) suffix: No such realm ""
> (0)     [suffix] = noop

  And there's no realm, so the User-Name isn't being stripped of the domain name.

> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> (0) pam: ERROR: pam_authenticate failed: Authentication failure

  Does PAM (and everything past it) know about "user", or "user at"?

  If it doesn't know about the domain, then add a realm for "".  Make it LOCAL (see proxy.conf).

  Once that's done, FreeRADIUS will pass "user" to PAM, and it should work.

  *Reading* the debug output helps.  See also

  Alan DeKok.

More information about the Freeradius-Users mailing list